System and Method for Network Level Protection Against Malicious Software

US 20120030750A1
Filed: 07/28/2010
Published: 02/02/2012
Est. Priority Date: 07/28/2010
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving information related to a network access attempt on a first computing device, the information identifying a software program file associated with the network access attempt;

evaluating a first criterion to determine whether network traffic associated with the software program file is permitted; and

creating a restriction rule to block the network traffic if the network traffic is not permitted, wherein the first criterion includes a trust status of the software program file.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method in one example implementation includes receiving information related to a network access attempt on a first computing device with the information identifying a software program file associated with the network access attempt. The method also includes evaluating a first criterion to determine whether network traffic associated with the software program file is permitted and then creating a restriction rule to block the network traffic if the network traffic is not permitted. The first criterion includes a trust status of the software program file. In specific embodiments, the method includes pushing the restriction rule to a network protection device that intercepts the network traffic associated with the software program file and applies the restriction rule to the network traffic. In more specific embodiments, the method includes searching a whitelist identifying trustworthy software program files to determine the trust status of the software program file.

259 Citations

33 Claims

1. A method, comprising:
- receiving information related to a network access attempt on a first computing device, the information identifying a software program file associated with the network access attempt;
  
  evaluating a first criterion to determine whether network traffic associated with the software program file is permitted; and
  
  creating a restriction rule to block the network traffic if the network traffic is not permitted, wherein the first criterion includes a trust status of the software program file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising pushing the restriction rule to a network protection device, wherein the network protection device intercepts the network traffic associated with the software program file and applies the restriction rule to the network traffic.
  - 3. The method of claim 2, wherein the network traffic intercepted by the network protection device includes outbound electronic packets from the first computing device, the electronic packets having a destination address corresponding to a second computing device.
  - 4. The method of claim 2, wherein the network traffic intercepted by the network protection device includes inbound electronic packets received from a second computing device and having a destination address corresponding to the first computing device.
  - 5. The method of claim 1, further comprising:
    - searching a whitelist identifying trustworthy software program files to determine the trust status of the software program file, wherein the trust status of the software program file is defined as untrusted if the software program file is not included in the whitelist.
  - 6. The method of claim 5, wherein the network traffic is not permitted if the trust status of the software program file is defined as untrusted.
  - 7. The method of claim 1, wherein the software program file is an executable file and the network access attempt is associated with an executing software process initiated by the executable file on the first computing device.
  - 8. The method of claim 1, wherein the software program file is a library module loaded into an executing software process on the first computing device and the network access attempt is associated with the executing software process.
  - 9. The method of claim 1, further comprising:
    - evaluating a second criterion to determine whether the second criterion overrides the first criterion, the second criterion including a network access policy for one or more software program files having a trust status defined as untrusted.
  - 10. The method of claim 9, wherein a network protection device intercepts electronic packets of the network traffic associated with the software program file and applies a restriction rule to the electronic packets, wherein the restriction rule is created using the network access policy selected from a group of network access policies, the group consisting of:
    - blocking all inbound electronic packets to the first computing device and all outbound electronic packets from the first computing device;
      
      blocking all inbound electronic packets to the first computing device;
      
      blocking all outbound electronic packets from the first computing device;
      
      blocking all outbound electronic packets from the first computing device to a specified network subnet;
      
      blocking all outbound electronic packets from the first computing device to the Internet and allowing all outbound electronic packets from the first computing device to a specified subnet;
      
      blocking all outbound electronic packets from the first computing device to domain name system (DNS) servers;
      
      blocking all outbound electronic packets from the first computing device using simple mail transfer protocol (SMTP);
      
      blocking all outbound electronic packets from the first computing device to an Internet Relay Chat (IRC) server;
      
      blocking all outbound electronic packets having a source address, a source port, a destination address, and a destination port matching a source address, a source port, a destination address, and a destination port of the network access attempt; and
      
      blocking all inbound electronic packets having a source address, a source port, a destination address, and a destination port matching a source address, a source port, a destination address, and a destination port of the network access attempt.

11. Logic encoded in one or more tangible media that includes code for execution and when executed by one or more processors is operable to perform operations comprising:
- receiving information related to a network access attempt on a first computing device, the information identifying a software program file associated with the network access attempt;
  
  evaluating a first criterion to determine whether network traffic associated with the software program file is permitted; and
  
  creating a restriction rule to block the network traffic if the network traffic is not permitted, wherein the first criterion includes a trust status of the software program file.
- View Dependent Claims (12, 13, 14)
- - 12. The logic of claim 11, the one or more processors being operable to perform further operations comprising:
    - pushing the restriction rule to a network protection device, wherein the network protection device intercepts the network traffic associated with the software program file and applies the restriction rule to the network traffic.
  - 13. The logic of claim 11, the one or more processors being operable to perform further operations comprising:
    - searching a whitelist identifying trustworthy software program files to determine the trust status of the software program file, wherein the trust status of the software program file is defined as untrusted if the software program file is not included in the whitelist.
  - 14. The logic of claim 11, the one or more processors being operable to perform further operations comprising:
    - evaluating a second criterion to determine whether the second criterion overrides the first criterion, wherein the second criterion includes a network access policy for one or more software program files having a trust status defined as untrusted.

15. An apparatus, comprising:
- a protection module;
  
  one or more processors operable to execute instructions associated with the protection module, the one or more processors being operable to perform further operations comprising;
  
  receiving information related to a network access attempt on a first computing device, the information identifying a software program file associated with the network access attempt;
  
  evaluating a first criterion to determine whether network traffic associated with the software program file is permitted; and
  
  creating a restriction rule to block the network traffic if the network traffic is not permitted, wherein the first criterion includes a trust status of the software program file.
- View Dependent Claims (16, 17)
- - 16. The apparatus of claim 15, wherein the one or more processors are operable to perform further instructions, including:
    - pushing the restriction rule to a network protection device, wherein the network protection device intercepts network traffic associated with the software program file and applies the restriction rule to the network traffic.
  - 17. The apparatus of claim 15, wherein the one or more processors are operable to perform further instructions, including:
    - searching a whitelist identifying trustworthy software program files to determine the trust status of the software program file, wherein the trust status of the software program file is defined as untrusted if the software program file is not included in the whitelist.

18. A method, comprising:
- receiving information related to a network access attempt on a first computing device, the information identifying a software program file associated with the network access attempt;
  
  evaluating a first criterion to determine whether network traffic associated with the software program file is permitted; and
  
  creating a logging rule to log event data related to the network traffic if the network traffic is not permitted, wherein the first criterion includes a trust status of the software program file.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The method of claim 18, further comprising pushing the logging rule to a network protection device, wherein the network protection device intercepts the network traffic associated with the software program file and logs event data related to the network traffic.
  - 20. The method of claim 19, further comprising:
    - receiving the event data logged by the network protection device;
      
      using selected data from the event data to search a process traffic mapping element for the software program file associated with the network traffic; and
      
      updating a logged events memory element to include an entry identifying the software program file.
  - 21. The method of claim 20, wherein the selected data used to search the process traffic mapping element includes a source address and port number and a destination address and port number.
  - 22. The method of claim 20 wherein the selected data used to search the process traffic mapping element includes a rule identifier corresponding to the logging rule.
  - 23. The method of claim 18, further comprising:
    - searching a whitelist identifying trustworthy software program files to determine whether the software program file is identified in the whitelist, wherein the trust status of the software program file is defined as untrusted if the software program file is not identified in the whitelist.
  - 24. The method of claim 18, wherein the software program file is an executable file and the network access attempt is associated with an executing software process initiated by the executable file on the computing device.
  - 25. The method of claim 18, wherein the software program file is a library module loaded into an executing software process and the network access attempt is associated with the executing software process.

26. Logic encoded in one or more tangible media that includes code for execution and when executed by one or more processors is operable to perform the operations comprising:
- receiving information related to a network access attempt on a first computing device, the information identifying a software program file associated with the network access attempt;
  
  evaluating a first criterion to determine whether network traffic associated with the software program file is permitted; and
  
  creating a logging rule to log event data related to the network traffic if the network traffic is not permitted, wherein the first criterion includes a trust status of the software program file.
- View Dependent Claims (27, 28, 29)
- - 27. The logic of claim 26, the one or more processors operable to perform further operations comprising:
    - pushing the logging rule to a network protection device, wherein the network protection device intercepts the network traffic associated with the software program file and logs event data related to the network traffic.
  - 28. The logic of claim 27, the one or more processors operable to perform further operations comprising:
    - receiving the event data logged by the network protection device;
      
      using selected data from the event data to search a process traffic mapping element for the software program file associated with the network traffic; and
      
      updating a logged events memory element to include an entry identifying the software program file.
  - 29. The logic of claim 26, the one or more processors operable to perform further operations comprising:
    - searching a whitelist identifying trustworthy software program files to determine whether the software program file is identified in the whitelist, wherein the trust status of the software program file is defined as untrusted if the software program file is not identified in the whitelist.

30. An apparatus, comprising:
- a protection module; and
  
  one or more processors operable to execute instructions associated with the protection module, including;
  
  receiving information related to a network access attempt on a first computing device, the information identifying a software program file associated with the network access attempt;
  
  evaluating a first criterion to determine whether network traffic associated with the software program file is permitted; and
  
  creating a logging rule to log event data related to the network traffic if the network traffic is not permitted, wherein the first criterion includes a trust status of the software program file.
- View Dependent Claims (31, 32, 33)
- - 31. The apparatus of claim 30, the one or more processors operable to execute further instructions comprising:
    - pushing the logging rule to a network protection device, wherein the network protection device intercepts the network traffic associated with the software program file and logs event data related to the network traffic.
  - 32. The apparatus of claim 31, the one or more processors operable to execute further instructions comprising:
    - receiving the event data logged by the network protection device;
      
      using selected data from the event data to search a process traffic mapping element for the software program file associated with the network traffic; and
      
      updating a logged events memory element to include an entry identifying the software program file.
  - 33. The apparatus of claim 30, the one or more processors operable to execute further instructions comprising:
    - searching a whitelist identifying trustworthy software program files to determine whether the software program file is identified in the whitelist, wherein the trust status of the software program file is defined as untrusted if the software program file is not identified in the whitelist.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Bhargava, Rishi, Reese, David P. Jr.

Granted Patent

US 8,938,800 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/13
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 63/02   for separating internal fro...

H04L 63/10   for controlling access to d...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

System and Method for Network Level Protection Against Malicious Software

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

259 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for Network Level Protection Against Malicious Software

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

259 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links